[Snort-sigs] Unknown IIS Issue

Matthew Jonkman matt at ...2436...
Mon Jul 19 14:30:19 EDT 2004

Yes, I agree it does. In fact we had 2 rules on bleeding that both 
covered it by just seeing the THCOWNZIIS string in the ssl stream. I was 
just talking to 2 people today though that are not seieng both 
signatures trip at the same time, which I assume should happen.

I'm getting 40 or 50 hits on the sig just looking for THCOWNZIIS that 
look legitimate. They're in an ssl stream close to the beginning of the 
conversation. But no hits on 2515 at the same time.

I haven't had time to look into it yet though. Once I do I'll send 
packet dumps out to see if anyone has any odeas.

Thanks Matt


Matthew Watchinski wrote:

>  From reading the ISC reports and looking at the packet payload sid:2515 
> already covers this.
> Cheers,
> -matt
> Matthew Jonkman wrote:
>> ISC is tracking a potential new IIS ssl exploit. Put up a real quick 
>> rule to see if it's going around:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE 
>> THCOWNZIIS IIS SSL Exploit Attempt"; 
>> reference:url,isc.sans.org/diary.php?date=2004-0
>> 7-17; content:"THCOWNZIIS!"; sid:2000559; rev:1;)
>> It's in the Bleeding Rules now, www.bleedingsnort.com. If anyone knows 
>> more about it let us know please.
>> Thanks
>> Matt

More information about the Snort-sigs mailing list